Security awareness compliance is transforming. Are you ready?
The SEC’s cyber disclosure rules are a sea change for public companies.
Part of a growing global trend, the rules are a major step forward in enhancing transparency and investor protection in the face of growing cyber threats.
In this blog, we’ll dissect the regs, explore what they mean for the industry, and show how organizations can thrive in the era of mandatory cyber-openness.
What’s happened so far?
July 2023. That’s when the US Securities and Exchange Commission (SEC as it’s commonly known) officially adopted the rules. These rules require public companies to disclose material cybersecurity incidents and provide an annual report on their cybersecurity circumstances.
This wasn’t the first time the SEC had ever mentioned anything about cybersecurity. They issued guidelines in 2011 and again in 2018.
But 2023’s rules formalize and expand the guidance.
What is the SEC?
The SEC is the finance watchdog of the United States. It has three instrumental roles:
-
- Investor guardian: Ensuring companies play it straight and investors get the info they need.
- Market referee: Setting rules for trading and keeping things orderly.
- Capital connector: Helping businesses access funding to grow the economy.
But essentially, everything the SEC does is about fostering a healthy US financial system.
Wait, why is a finance watchdog focusing on cyber?
It’s about markets.
Markets are getting more global and complex.
Cyber threats are too. Whether it’s cyber intrusion, denial of service attacks, manipulation, misuse by insiders, or other cyber misconduct, cybersecurity threats are ever more likely to impact markets and investors.
The SEC’s Chair Gary Gensler explains:
“Whether a company loses a factory in a fire—or millions of files in a cybersecurity incident—it may be material to investors. Currently, many public companies provide cybersecurity disclosure to investors. I think companies and investors alike, however, would benefit if this disclosure were made in a more consistent, comparable, and decision-useful way.”
The SEC has set its sights on improving cyber risk transparency.
It wants to do this through mandatory disclosures. The aim overall is to safeguard companies, empower investors, and strengthen trust in the markets.
Before we get into how it works, a quick vocab lesson.
What’s a “material cybersecurity incident”? What does “materiality” mean?
Public companies are no stranger to determining materiality. But some teams might be unfamiliar with the concept. So let’s spend a few seconds nailing down the definition.
A material cybersecurity incident is one that could significantly impact a company’s finances, operations, or reputation.
Assessing materiality involves considering factors like:
-
- financial impact
- reputational damage
- regulatory action
- scope
- severity, and
- the potential for future harm.
The SEC emphasizes a rational and objective evaluation based on the overall circumstances.
The ultimate decision rests with the company’s management, informed by internal assessments and legal counsel. This approach ensures a balanced and informed response to cybersecurity incidents under the new regulatory guidelines.
It’s important that CISOs and their teams have a grasp of what materiality means.
What must companies do?
It’s a two-pronged approach, so all public companies that trade in the US will have to do two things:
Companies must publicly reveal major cyberattacks within 4 days
Public companies must now disclose material cybersecurity incidents within 4 business days of establishing materiality (more on that word below).
They must do this in a dedicated form, detailing the nature, scope, and timing of the incident, along with its material impact or potential impact on the company.
Extra time is only allowed if the Attorney General raises national security or public safety concerns.
Companies must disclose cyber landscape information annually
As part of an annual return sent to the SEC, companies must disclose material information on their cybersecurity risk management, strategy, and governance. This will be done as an annual report.
The form asks companies to describe:
-
- Processes (if any) for assessing, identifying, and managing material risks from cybersecurity threats.
- Material effects or reasonably likely material effects of risks from cybersecurity threats
- Previous cybersecurity incidents.
- The board of directors’ oversight of risks from cybersecurity threats.
- Management’s role and expertise in assessing and managing material risks from cybersecurity threats.
What else?
These rules apply to international companies too.
For companies based outside the US (foreign private issuers), the rules are similar.
They’ll need to report major cybersecurity incidents quickly (on Form 6-K) and give an annual overview of their cyber risk strategy and management (on Form 20-F).
Smaller companies get some breathing room.
While most companies will start reporting material cybersecurity incidents within four business days, smaller ones have an extra 180 days to adjust.
The future is formatted.
All companies will eventually need to tag their disclosures with specific data formatting, but they have a year after their initial reporting to implement that.
First to fall foul: The SolarWinds enforcement sets a precedent for CISOs
In October 2023 the SEC initiated enforcement action against SolarWinds and its CISO for alleged misrepresentations regarding the company’s cybersecurity posture.
The SEC’s case centered around allegations that SolarWinds and its CISO engaged in misleading disclosures about the company’s cybersecurity practices and vulnerabilities.
This includes claims that the CISO knowingly made public statements about the quality of the company’s software products that contradicted internal knowledge of security deficiencies.
Additionally, the SEC alleges that the CISO participated in public forums advocating for robust cybersecurity programs while the company’s own internal controls were demonstrably inadequate.
Implementation is one thing; enforcement is quite different. This unprecedented action sends a clear message:
Compliance is not optional. And accountability extends beyond mere filing requirements.
But SolarWinds pushes back
SolarWinds roundly challenged the SEC’s accusations. They argued that they responded promptly and transparently to the attack. They even called the SEC’s charges unfounded and unprecedented, accusing the SEC of “revictimization.”
This move suggests the new regulations (or following them) may not be as straightforward as companies initially anticipated. Legal battles could arise around interpretations of materiality, disclosure requirements…even the SEC’s authority in the industry.
It raises questions about the gray areas of compliance and the burden of proof on companies to demonstrate their cybersecurity efforts.
As with many legal and regulatory playbooks, the devil’s in the details.
Still, as strong as their response is, few would doubt that SolarWinds would do things a little differently if they got a second chance.
But until time machines hit the market, SolarWinds is stuck firmly in cautionary tale territory.
What does the SEC’s rules and enforcement mean for the future of cybersecurity and CISOs?
Here are three big things you’ll need to factor into your next move.
1. Transparency takes center stage
The SEC’s spotlight shines brightly on vulnerabilities, demanding open communication and robust incident response plans. Gone are the days of secrecy, as organizations must now embrace transparency as a cornerstone of their security posture.
This shift puts CISOs squarely in the driver’s seat, calling for a proactive approach to risk management and mitigation.
2. Compliance blackmail is now a thing
With the SEC wielding increased oversight, cybercriminals have gained a new tool: compliance blackmail.
Regulatory frameworks can be exploited, forcing organizations caught in the crossfire to navigate a precarious path between ransom demands and potential SEC enforcement.
It’s going to take robust security postures, well-defined incident response protocols, and clear communication strategies to steer clear of catastrophe.
3. “People risk” rises to the top
Generic risk assessments and superficial metrics are no longer enough.
Organizations must delve deeper. There’s now even more reason to cultivate a holistic, robust cybersecurity consciousness. There’s even more need to tailor programs to individual and organizational human cyber risk profiles.
Understanding individuals’ behavior, analyzing past incidents, and segmenting and utilizing robust data. All three are key to uncovering and mitigating vulnerabilities in this critical area.
Takeaways
The SEC’s latest move is part of a growing global trend. Mandatory cybersecurity incident reporting and disclosure is increasingly prevalent.
This trend reflects the increasing recognition of the importance of cybersecurity in protecting investors, consumers, and critical infrastructure.
Whatever you do, don’t ignore these two elements of the shifting tides:
Dawn of the age of human risk (finally)?
The SEC’s new game plan pushes human risk management to the frontlines.
Deeper behavioral analysis, targeted training, and ingrained vigilance—these are key to helping your people become the proactive defenders they want to be.
2024 is about organizations with empowered and informed people at their core.
The SEC’s message is clear: invest in human risk management.
Our definitive guide to human risk management will make sure you’re roundly informed, and will inspire your game plan.
Fast, data-driven responses matter (even more)
The SEC’s regulatory ramp-up calls for rapid incident response, and precise risk quantification.
Our partners and customers have been relieved that they can navigate the new SEC regs with confidence. They are delighted to find that CybSafe RESPOND is playing a pivotal role in this.
RESPOND offers automated workflows and pre-configured reporting. Both of these features significantly streamline incident response, through rapid containment and minimizing potential damage. This translates to swift compliance with regulations and a demonstrably resilient security posture.
If you’re serious about transforming security awareness compliance into a competitive advantage, get the lowdown on RESPOND, and see it in action.